Information Security 2023

Data security course, in English as you asked.

Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.

Course name and code: Information Security ICI002AS2AE-3001
Timing 2023 period 3, early spring, w03-w11
Credits 5 cr
Classes Wednesdays 08:15 - 13:45, blended, mandatory participation
Max students 30
Language English
Type Blended. Two contact meetings in Pasila, the rest is remote video conference.
Feedback 4.6 / 5 Excellent feedback Five star experience *
Services Moodle, Jitsi, Laksu
First class 2023-01-18 w03 Wed 08:15 Pasila pa3014, physically present with your laptop

* From Data Security course from previous curriculum. This is the first instance of Information Security. I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback. And Master level (YAMK) Trust to Blockchain has gotten to excellent 4.9 /5.

Agenda

Wednesdays 08:15 to 13:45. Early spring 2023, period p3, weeks w03 to w11.

Two contact meetings, first w03 and last w11. The rest are online video conference in Jitsi. All classes require active participation.

Date Theme
2023-01-18 w03 Wed Organizing. Fundamentals. Practice environments. Contact in Pasila pa3014.
2023-01-25 w04 Wed Web security. Cyber kill chain.
2023-02-01 w05 Wed Threat modeling. ATT&CK. 9 Miska Kytö, Sulava: My day & zero trust networking.
2023-02-08 w06 Wed Recon. Practice environments.
2023-02-15 w07 Wed Encryption.
(w08 is holiday) (no classes on winter holiday)
2023-03-01 w09 Wed Passwords and hashes. Gaillard: Hacking X509 *.
2023-03-08 w10 Wed Presentations.
2023-03-15 w11 Wed Presentations. Contact in pa3014.

The themes will be updated during the course, but the dates will stay the same. There will be just two contact meetings, and their dates are already final. So you can safely book these on your calendar.

Goals

After completing this course, you will

  • Understand adversarial view on security
  • Recognize key concepts of security
  • Be able to safely practice hands-on with security tools

Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.

Assessment

  • Active participation in classes
  • Homework (66%)
  • Presentation (33%)

Evaluation of the course is based on totality of the work presented.

Previous courses

This is the first instance of Information Security. But check out my similar course from previous curriculum, Data Security:

Homework

Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specified as writing.

Each homework is returned

  • 24 h before start of next lecture
  • you can publish your homework report in any website you like
  • return a link to Laksu
  • cross-evaluate two other homeworks

To save everyone's time, I will remove those from the course who don't return homework.

Github is a convenient place to publish your reports; others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help with getting job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.

The homeworks are official after they are given in the class. Don't start them before, because they might change.

h1 First steps

Become a hacker, step 0

Start the homework only after you've accepted the rules in course Moodle.

Tips:

  • Why are these tasks just the right level? To prepare you for learning hacker skills in this course.
  • Why are these tasks so hard? => See below, "If you get stuck".
  • Why are these tasks so easy? => Because you've practiced before, good for you. Also do voluntary bonus tasks above for some challenge and development. Still too easy? Contact me for special arrangements, I want you to spend your time efficiently.
  • In "Read and summarize":
    • read first, then summarize
    • summarize key content
      • not just headings
      • don't just describe the article, tell the main things it says
    • add a question, an idea or a comment of your own to each article
  • Yes, you're expected to read the friendly manuals, Google/Duck, and try multiple approaches
  • Refer & link any sources you use
    • Course / the classes
    • Homework assignments
    • Homework reports by other students
    • Any web pages
    • Manuals, Articles, Man pages...
    • Referencing your sources is required
  • When reporting tests on a computer
    • Write while you work
    • Save often
    • Explain why
    • Have some screenshots
    • If some command output is very long, only quote relevant parts (if you want, you can put the long text as an appendix or behind a link)
  • If you get stuck
    • Don't worry: Computers are cranky, that's why they pay hackers well
    • Solve and report all parts you can do
    • Return your partial report in time
    • Google/Duck. That's what the pros do, too. Write down a reference to the sources you used.
    • If you need to look at a walkthrough (an exact solution to this homework, task or flag), clearly mark where you needed it.
    • Solve the trouble part as far as you can. Report all approaches taken.
    • Ask about the challenges in the class, likely someone else had the same thing
  • Bandit uses SSH. In Linux, that's 'ssh tero@example.com', and it might also work in new Windowses. For older Windowses, you can also use Putty SSH.
  • Read my (Tero's) articles on how to install Debian & WebGoat before you start
  • To see some example solutions for homeworks, Google/Duck my name + course name, e.g. "Tero Karvinen Penetration Testing" without the quotes.
  • Be safe: in this homework, the only attacks you perform are against WebGoat running on the localhost of your own computer

h2 Goat

Remember to keep it safe, legal and ethical. Even once you grasp the OWASP Top 10, you still can't try these against machines you don't own.

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Sequel. Solve SQLZoo:
    • 0 SELECT basics
    • 2 SELECT from World, from first subtask to 5 "France, Germany, Italy"
  • b) Injected. Solve WebGoat:
    • A1 Injection (intro)
  • m) Voluntary bonus: Pick your tasks from SQLZoo 1, 3-9.
  • n) Voluntary difficult bonus: WebGoat: SQL Injection (advanced).
  • o) Voluntary difficult bonus: Install a relational database, show CRUD operations using SQL
  • q) Voluntary difficult bonus: Demonstrate aggregate functions (SUM, COUNT) with your own data you created in the previous step.
  • p) Voluntary difficult bonus: Install a practice target for SQL injections, exploit it.
  • r) Voluntary difficult bonus: Demonstrate JOIN with your own database

Tips:

  • Pick a CVE:
    • You can get inspiration from CVETrends or many other CVE sites.
    • Or straight from the horse's mouth: Mitre: CVE and @CVEnew in Twitter.
    • You can check Hacker News, Twitter or general news sites for CVEs that are notorious.
    • If you stumbled upon a super complicated CVE and can't understand what it even means, pick a simpler one.
  • Darknet diaries
    • If you pick an episode that's not the last one, you're more likely to pick an episode that's not the same one everyone else picked.
    • Yes, I know it's great podcast. A good choice to get up to speed with famous security incidents.
    • AntennaPod is a convenient Android program for listening to podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands of other podcast programs, too.
    • Pick any episode. Check descriptions, and pick one that's likely to be suitable here.
    • What did you learn? Point out threat actors, exploits, vulnerabilities and impact. How could defenders mitigate the attack better? How could the attackers improve their attack?
  • SQLZoo
    • If you've got a lot of experience with databases already and SQLZoo is too easy, you can do the difficult voluntary bonus instead "Install relational database, show..."
    • Yes, I think they really run your queries on a database management system
  • WebGoat
    • What kind of quotes did SQL have?
    • If you raise everyone's salaries, are you the richest anymore?
    • The names here are the same as in OWASP 10 2021 and OWASP 10 2017.
    • In injections, it's nice to know:
      • SQL string delimiter (single quote, apostrophe) "'" (end of user input, start of my hostile injection)
      • SQL comment (double dash) "--" (end of my evil injection, you can ignore the rest, dear database management system)
      • There are many ways to do SQL injection
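
What the quote-and-comment tip above means in practice, as an added example that is not part of the course materials or of WebGoat: a constructed in-memory SQLite table with two users, a login check that pastes user input into the SQL text (the vulnerable form), and the same check with placeholders (the fix). The user names, passwords and salaries are made up.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 4000), ("bob", "hunter2", 3500)])
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: user input is pasted straight into the SQL text.
    A single quote in the input ends the string literal, and -- turns the
    rest of the statement into a comment, so the password check never runs."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Hardened: ? placeholders. The driver sends the values separately from
    the SQL text, so quotes and -- inside the input stay plain data."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    odd_name = "alice'--"   # quote closes the literal, -- hides the password check
    print("vulnerable:", login_vulnerable(db, odd_name, "wrong"))  # alice
    print("safe:      ", login_safe(db, odd_name, "wrong"))        # None
```

The same contrast applies to the salary UPDATE in WebGoat: a query built by string concatenation lets one input change every row, a parameterized one does not.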

h3 Attaaack

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
    • € Costa-Gazcón 2021: Practical Threat Intelligence and Data-Driven Threat Hunting Chapter 4: Mapping the Adversary (all but "Testing yourself", which is left as voluntary bonus)
  • y) Write an answer with references (this subtask does not require tests with a computer). Answer in the context of Mitre Att&ck, and pick examples that are different from the chapter in task x.
    • Define tactic and give an example.
    • Define technique and subtechnique, and give an example of each.
    • Define procedure, and give an example.
  • a) Webgoat: A3 Sensitive data exposure
    • Insecure Login: 2 Let's try
  • n) Voluntary bonus: "Testing yourself" in Costa-Gazcón: Practical Threat Intelligence and Data-Driven Threat Hunting Chapter 4: Mapping the Adversary
  • m) Voluntary difficult bonus: WebGoat: SQL Injection (advanced).

Tips:

Administrivia

I will keep updating this page during and after the course.